On 11/10/2005 09:41, Douglas Otis wrote: > > On 11/09/2005 11:15, Douglas Otis wrote: > >> A verified signer for the message could improve the results of filtering > >> applications like Spamassassin. As this is your primary mechanism, > >> improving these applications would benefit you significantly. A general > >> requirement that From matches the signer will not be reduce the amount > >> of spam, as spammers adapt. > > > > You keep saying that. I don't believe you. > > > > A verified identity is useful for whitelisting. I manage that well > > enough already, so it's not a problem I need help solving. > > > > No matter what you do with hueristics, you are only modulating an > > approach that will only ever be so good. What we need is more > > deterministic solutions and less dependence on heuristics. > > What would you use when all spammers sign their email where their From > matches the signer? > First, I'm not saying a don't think heuristics will always be necessary. They will.
Second, then they aren't sending e-mail from my domain anymore. That's a victory. Third, now I have a good name basis for blacklisting. That's a victory. Fourth, yes, they can go register new domains, but adding DKIM to the mix increases the complexity/cost of solving the problem for them. The more expensive spam gets, the less of it there will be. My original point was that if you take a unitary hueristic analysis and break it into two parts (content and name) it doesn't necessarily give you a better result. It may be marginally better. I think it's unlikely to be substantially worse, but it's not at all clear to me that it's enough better to be worth going through the hoops you are proposing. > > I may well have to set up a sub-domain for list traffic. It would be a > > minor inconvenience. As you can see by the From address I use on this > > list, I already set up dedicated From addresses for mailing lists. I > > already deliver these into a separate mail box. Adding a sub-domain for > > it would be a one time 10 minute job. It's not something I'm > > particularly concerned about. > > > > Additionally, if there isn't a general solution to the DKIM/Mailing List > > incompatability, then I expect that receivers that want to receive mail > > from mailing lists will white list lists that they subscribe to and no > > reject messages that are outside the domain's SSP from those lists. Yes, > > it's more administrative burden, but it's a one time burden per list that > > can be reasonably well automated. > > What is the desired goal that requires this sizable effort for managing > these white-lists and extra email-addresses? > It's a work around if the working group doesn't come up with a satisfactory solution to mailing lists breaking DKIM signatures. The desired goal would to avoid going to the effort of attempting to validate signatures that aren't going to validate. > >> Ensuring the signer is able to control abuse of the signature does not > >> detract from the benefits that you would enjoy, but it does allow the > >> use of a name-based reputation. The self-revocation mechanism that has > >> been suggested would also benefit those that do not use a reputation > >> service. These self revocations would be driven by reputation feedback. > >> This would be a way to share the benefits of reputation. : ) > > > > It sounds like you are saying that I'll be able to self-revoke based on > > results from a reputation service that I don't use. I don't think this > > is any more sensible than the rest of what you are proposing. > > Abuse@ emails or even phone calls provide you feedback. If this feedback > is about message replay abuse, then being able to curtail and even prevent > replay abuse ensures this does not become a common exploit. Self > revocation shares this valuable feedback. > OK. So what you are saying is that replay protection has value independent of reputation service? I can see the potential in that. > > Getting SSP right would be of much greater value to me that going off on > > the tangent that you propose. > > You are advocating changing email practices. Allowing current practices > is not a tangent. Perhaps the MUA address book could also capture the > signing-domains to detect possible spoofs without forcing a general > association of the From/signer. It seems From/signer restrictions only > make sense for a small number of domains. > Sure I am. I think e-mail is broken enough today that things have to change (can't make an omlette without breaking some eggs). The question is how. I'd like to change e-mail so that fraudsters and spammers have less success. By the time you get to the MUA, IMO, the battle is over. SSP is an MTA level tool to solve an MTA level problem. I'd rather keep the users out of this entirely if possible (I know it won't be possible, but it should be minimized). I'm not sure how many domains From/signer restrictions make sense for. I am confident that the number is non-zero. Restrictive SSP should be allowed, but not mandated. Scott K _______________________________________________ ietf-dkim mailing list http://dkim.org
